Desynchronizability of (Partial) Synchronous Closed Loop Systems


Harsh BEOHAR, Pieter CUIJPERS


Abstract 


The task of implementing supervisory controllers is non-trivial,
even though there are different theories that allow automatic synthesis
of such controllers in the form of automata. One of the reasons for
this discord is the asynchronous interaction between a plant and
its controller in implementations, whereas the existing supervisory
control theories assume synchronous interaction. As a consequence,
the implementation suffers from the so-called inexact synchronization
problem. To address this issue, we find sufficient conditions under
which a synchronous closed loop system is branching bisimilar to its
corresponding asynchronous closed loop system. Furthermore, we
extend this result to include the interaction of the plant or the supervisor
with its environment.


1 Introduction 


Supervisory control theory provides an automatic way of synthesizing a
supervisor that forces a process to comply with a given requirement. In
supervisory control theory terminology:


• the model that is to be controlled is known as the plant,
• the model that specifies the requirement is known as the specification,
• the model that forces the plant to meet the specification by interacting
  with it is known as the supervisor or the controller,
• the interaction between a plant and its supervisor is known as closed-loop
  behavior.


The closed loop behavior in supervisory control theory is realized by the
synchronous parallel composition operator. Informally, it allows a plant
and a supervisor to synchronize on common events, while other events can
happen independently.

One of the main problems when implementing a supervisor that is
synthesized by supervisory control theory is inexact synchronization [8].
In practical industrial applications, the interaction between a plant and
its supervisor is asynchronous, rather than synchronous, while supervisory
control theory assumes a composition of plant and supervisor that ascertains
strict interaction. By strict, we mean that either the plant or the supervisor
has to wait for the other party while synchronizing.

Balemi was the first to consider the inexact synchronization problem in 
the context of supervisory control theory [4]. An input-output interpretation 
was adopted between a plant and its supervisor, and a special delay operator 
was introduced to model the delay in communication between the plant and 
its supervisor. One of the main results of [4] was the existence of a supervisor 
in the presence of delays. However, the authors in [21] argued that Balemi’s 
construction was partially asynchronous in nature because the output actions 
from a plant can occur asynchronously, while the output actions from a 
supervisor must occur synchronously. In [21], this requirement was relaxed; 
necessary and sufficient conditions were provided for the existence of a 
controller under bounded delay between a plant and its supervisor. 

In [9], a synchronous closed loop system (SCLS) was considered to 
be a specification, with the asynchronous closed loop system (ACLS) as 
its implementation. The main results of [9] were a number of sufficient
conditions under which a SCLS and its corresponding ACLS are failure
equivalent [11]. This work was motivated by the so-called “Foam-rubber 
wrapper” principle [17], borrowed from the field of delay insensitive circuits, 
which states that “a process is delay insensitive if it is equivalent to the same 
process connected with buffers”. In [9], the foam-rubber wrapper principle 
was studied in the context of the parallel composition operator and it was 
shown that an extra condition is required to preserve this principle. 

In this paper, we address the issue of inexact synchronization in the 
process algebra TCP [3], and we determine sufficient conditions under which 
a SCLS and the corresponding ACLS are branching bisimilar rather than 
failure equivalent [18]. Our motivation for using such a fine notion of
equivalence is that we would like our ACLS to have the same modal-logical
properties as the SCLS.

We observe the following differences between the related work mentioned 
above and our current work: 


• In this paper, we solve a refinement problem instead of a control
  synthesis problem (cf. [4, 21]). Rather than computing a new supervisor
  under the presence of delays, we assume a given plant and supervisor,
  synthesized using supervisory control theory, and find sufficient
  conditions under which such a synthesized supervisor can control the
  same plant in an asynchronous environment.

• The key differences with the work of [9] are the type of buffer that is
  used and the abstraction scheme (which hides certain interactions in an
  ACLS). In this paper, we use a bag as the buffer and hide the interactions
  between a plant and the buffer (see Subsection 1.1 for details).


We extend our previous result [7] to a class of SCLS called partial 
synchronous closed loop system (PSCLS), whose alphabet contains external 
actions of either the plant or its supervisor that result in interaction with 
the external world (environment). This makes it possible to desynchronize a 
SCLS present in a decentralized or hierarchical architecture (see [20] for the 
two architectures) by decomposing the given SCLS into a number of PSCLSs 
and by verifying each of the individual PSCLSs. However, more research is
required to ascertain that a SCLS in a decentralized or hierarchical
architecture is desynchronizable whenever each of the PSCLSs constituting it
is desynchronizable.


1.1 Architecture 


This paper and the companion paper [7] are the result of a pre-study carried 
out in [6], where four construction methods were proposed to construct an 
ACLS from its corresponding SCLS. In this subsection, we introduce the 
architecture of an ACLS, discuss the reasons for using a bag as a buffer, and 
describe one of the abstraction schemes that will be used throughout this 
paper. 

Figure 1: Asynchronous closed loop system in practice.

An ACLS can be constructed by introducing a buffer between a plant
and its supervisor, thus decoupling the interaction between the two. In
practice, the buffering mechanism is realized by the interactions of different
layers (also known as the protocol stack) as shown in Figure 1. Various authors
[9, 10, 13] have abstracted from the interaction of different layers by using 
data structures based on a particular level of abstraction. For example, to 
model delay insensitive (DI) circuits, which are at a lower level of abstraction 
(physical layer), wires are used as a buffering mechanism [12]. On the 
other hand, to model data flow networks, which are at a higher level of 
abstraction (in comparison to DI circuits), queues are used as a buffering 
mechanism [10]. Systems with unordered message buffers are considered to 
be a convenient abstraction of systems with lossy FIFO-message buffers (see 
[16] and the references therein). Therefore, we use a bag as the buffering 
mechanism. In practice, such buffers can for example be implemented using 
the User Datagram Protocol (UDP) [15], which allows an unordered delivery 
of messages to a receiver. 

When a bag is introduced as a buffer, the ACLS contains interactions that
are not present in the SCLS. In order to compare these two closed loop
systems, it is therefore necessary to hide some interactions using a suitable
abstraction scheme. We introduce bags between the plant and the supervisor,
and distinguish the following alternatives for hiding part of the interaction:


M1. we can hide the interaction between the plant and the bag (see
    Figure 2(a));

M2. we can hide the interaction between the supervisor and the bag (see
    Figure 2(b));

M3. we can hide the communication at the input of both the plant and the
    supervisor (see Figure 2(c));

M4. we can hide the communication at the output of both the plant and
    the supervisor (see Figure 2(d)).


[Figure 2: four panels, each showing the plant P and the supervisor S with a
Bag between them and the actions !a, ?a, !b, ?b, !c, ?c, !d, ?d on the
connecting lines. (a) Construction method M1. (b) Construction method M2.
(c) Construction method M3. (d) Construction method M4.]


Figure 2: Different ways to hide the interactions from an ACLS. The thick 
lines are used to show the visible interaction and the thin lines are used to 
show the invisible interaction. The notation !a means ‘send action a’ and ?a 
means ‘receive action a’. 


In this paper, we develop the theory for the construction method M1 (see
Section 4 for the rationale behind this choice) and leave the other
construction methods open for future study. Moreover, the techniques presented
in this paper are restricted to reactive systems (so, no termination).


1.2 Outline 


The remainder of this paper is organized as follows. In Section 2, we start 
our exposition by defining the overall background required for this paper. 
Section 3 provides a brief introduction to supervisory control theory in a
process algebraic way. In Section 4, the abstraction scheme for construction
method M1 is defined formally. In Section 5, we give the formal definition of
a desynchronizable closed loop system with the conditions that are sufficient
for desynchronizability. In Section 6, we extend our results to PSCLSs. In
Section 7, we discuss in the context of SCLS whether some of the sufficient
conditions can be weakened any further. Finally, the conclusions are
presented in Section 8 with some directions for future research.


2 Background 


In this section, we define the basic notations and definitions that will be 
used throughout this article. 

Let Act be a set of action names. We use the symbols a, b, c, ... to
range over the set Act. Then we define the following actions for an action
label a ∈ Act:

• !a: send action a,
• ?a: receive action a,
• !?a: communicated action a.

Let A denote the set of all actions, defined in the following way:
A = {!a, ?a, !?a | a ∈ Act}.


The variables α, α₁, α₂, ... are used to denote elements from the set A when
the information about the type of action is irrelevant.

Next, we give a brief overview of the syntax and semantics of the
process theory TCP [3]. The set of process terms P is generated by the
grammar given in Table 1. We let the symbols p, r, s, q, q', with indices,
range over the elements of P, and fix p, r, s for the process terms associated
with supervisory control theory. The constant 0 is the inaction process
term. A unary operator α._ for each action α ∈ A, denoting action prefix, is
introduced in the TCP syntax. Intuitively, the process term α.q performs the
action α and then behaves as the process term q. Observe that action prefix
allows communicated actions in the syntax of a process term; this is required
to model the requirements of a synchronous (asynchronous) closed loop
system (see Section 3 for the formal definition of a plant, a supervisor and a
requirement). The binary operator + denotes the alternative composition
or choice between any two process terms. The encapsulation operator
∂_H(_) blocks the execution of actions that are elements of the set
H ⊆ A, while allowing the execution of actions present in the set A \ H.
The abstraction operator τ_I(_) renames the actions in the set I ⊆ A to the
silent step τ ∉ A, and leaves the other actions unchanged.


q ::= 0            inaction
    | α.q          action prefix, where α ∈ A
    | q + q'       alternative composition
    | q ||_γ q'    parallel composition
    | ∂_H(q)       action encapsulation, where H ⊆ A
    | τ_I(q)       abstraction (hiding of actions), where I ⊆ A
    | X            recursion variable, with X = t a recursive definition, where X ∈ V
    | ρ_f(q)       renaming on process terms, where f : A → A

Table 1: Syntax of TCP [3].


The synchronous parallel execution of two process terms q, q' ∈ P is
denoted as the term q ||_γ q', where γ is a partial binary function called the
communication function: γ(!a, ?a) = γ(?a, !a) = !?a for any a ∈ Act; γ is
undefined otherwise.

Let V be a set of recursion variables. A recursive equation [3] over the
signature of TCP and V is an equation of the form X = t, where X is a
recursion variable from V and t is a term over the signature of TCP in which
no other variables than those from V occur.

Finally, the renaming operator ρ_f(_) is defined on process terms, where
f : A → A is a function on actions. Note that we use the renaming operator
for technical reasons, not for modeling the basic entities in supervisory
control theory.

The semantic domain of the process terms is a transition system [3] 
and the meaning to each process term is given by the so-called structural 
operational semantic rules [14], given in Table 2. 


Definition 1. Let A_τ = A ∪ {τ}. A transition system over a set of actions
A is a set Q of states, equipped with a transition relation → ⊆ Q × A_τ × Q.
The transition system induced by the syntax of TCP is the tuple (P, →).
$$\alpha.p \stackrel{\alpha}{\longrightarrow} p \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p'}{p + q \stackrel{\alpha}{\longrightarrow} p'} \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p'}{q + p \stackrel{\alpha}{\longrightarrow} p'}$$

$$\frac{p \stackrel{\alpha}{\longrightarrow} p'}{p \parallel_\gamma q \stackrel{\alpha}{\longrightarrow} p' \parallel_\gamma q} \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p'}{q \parallel_\gamma p \stackrel{\alpha}{\longrightarrow} q \parallel_\gamma p'} \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p' \quad q \stackrel{\beta}{\longrightarrow} q' \quad \gamma(\alpha, \beta) = \delta}{p \parallel_\gamma q \stackrel{\delta}{\longrightarrow} p' \parallel_\gamma q'}$$

$$\frac{p \stackrel{\alpha}{\longrightarrow} p' \quad \alpha \notin H}{\partial_H(p) \stackrel{\alpha}{\longrightarrow} \partial_H(p')} \qquad
\frac{p \st ackrel{\alpha}{\longrightarrow} p' \quad \alpha \notin I}{\tau_I(p) \stackrel{\alpha}{\longrightarrow} \tau_I(p')} \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p' \quad \alpha \in I}{\tau_I(p) \stackrel{\tau}{\longrightarrow} \tau_I(p')}$$

$$\frac{t \stackrel{\alpha}{\longrightarrow} p \quad X = t}{X \stackrel{\alpha}{\longrightarrow} p} \qquad
\frac{p \stackrel{\alpha}{\longrightarrow} p' \quad f : A \to A}{\rho_f(p) \stackrel{f(\alpha)}{\longrightarrow} \rho_f(p')}$$

Table 2: Operational semantics for a fragment of TCP, where $\alpha \in A \cup \{\tau\}$.


Definition 2. The alphabet of a process term $q$ is a function $Alph : P \to 2^A$
that returns the set of atomic actions that it can perform. It is defined as
the least solution (w.r.t. $\subseteq$) of the following equation:
$$Alph(q) = \{\alpha \mid q \stackrel{\alpha}{\longrightarrow} q'\} \cup \bigcup_{q \stackrel{\alpha}{\longrightarrow} q'} Alph(q'), \qquad
Alph(q) = \emptyset \text{ if } \nexists q', \alpha.\,[q \stackrel{\alpha}{\longrightarrow} q'].$$


Note that the alphabet of a process term $q$ is not defined as the alphabet
operator of the TCP process algebra, since the latter returns only the visible
actions of a process term, whereas here $\tau \in Alph(q)$ is possible.


As mentioned in the introduction, we use branching bisimulation to
relate a SCLS with its corresponding ACLS in which $\tau$ actions are present.
The presence of $\tau$ actions in an ACLS will become evident in Section 4. The
notation $q \stackrel{w}{\Longrightarrow} q'$ for some $w \in A^*$ is inductively defined in the following
way:
$$q \stackrel{\varepsilon}{\Longrightarrow} q' \triangleq q \stackrel{\tau^*}{\longrightarrow} q', \qquad
q \stackrel{\alpha.w}{\Longrightarrow} q' \triangleq \exists q''.\,[q \stackrel{\alpha}{\longrightarrow} q'' \wedge q'' \stackrel{w}{\Longrightarrow} q'].$$

The function $Reach : P \to 2^P$ gives the set of reachable states of a state, and
is defined as $Reach(q) = \{q' \mid \exists w.\,[q \stackrel{w}{\Longrightarrow} q']\}$.


Definition 3. A binary relation $\mathcal{R} \subseteq P \times P$ is called a branching bisimulation
relation [3, 18] iff:

• $\forall q, q', q_1, \alpha \in A.\,[(q, q') \in \mathcal{R} \wedge q \stackrel{\alpha}{\longrightarrow} q_1 \Rightarrow \exists q'_1, q'_2.\,[q' \stackrel{\tau^*}{\longrightarrow} q'_2 \stackrel{\alpha}{\longrightarrow} q'_1
  \wedge (q, q'_2) \in \mathcal{R} \wedge (q_1, q'_1) \in \mathcal{R}]]$;

• $\forall q, q', q_1.\,[(q, q') \in \mathcal{R} \wedge q \stackrel{\tau}{\longrightarrow} q_1 \Rightarrow (q_1, q') \in \mathcal{R} \vee \exists q'_1, q'_2.\,[q' \stackrel{\tau^*}{\longrightarrow} q'_2 \stackrel{\tau}{\longrightarrow} q'_1
  \wedge (q, q'_2) \in \mathcal{R} \wedge (q_1, q'_1) \in \mathcal{R}]]$;

• $\forall q, q', q'_1, \alpha \in A.\,[(q, q') \in \mathcal{R} \wedge q' \stackrel{\alpha}{\longrightarrow} q'_1 \Rightarrow \exists q_1, q_2.\,[q \stackrel{\tau^*}{\longrightarrow} q_2 \stackrel{\alpha}{\longrightarrow} q_1
  \wedge (q_2, q') \in \mathcal{R} \wedge (q_1, q'_1) \in \mathcal{R}]]$;

• $\forall q, q', q'_1.\,[(q, q') \in \mathcal{R} \wedge q' \stackrel{\tau}{\longrightarrow} q'_1 \Rightarrow (q, q'_1) \in \mathcal{R} \vee \exists q_1, q_2.\,[q \stackrel{\tau^*}{\longrightarrow} q_2 \stackrel{\tau}{\longrightarrow} q_1
  \wedge (q_2, q') \in \mathcal{R} \wedge (q_1, q'_1) \in \mathcal{R}]]$.

Two processes $q$ and $q'$ are said to be branching bisimilar, denoted as $q \,\underline{\leftrightarrow}_b\, q'$,
iff there exists a branching bisimulation relation $\mathcal{R}$ such that $(q, q') \in \mathcal{R}$.


Note that the branching bisimulation equivalence relation is not a
congruence on P, although it is a congruence for the parallel composition
operator ||_γ. To remedy this defect, the well-known extra condition of
rootedness is required (see [3] for details).


3 Supervisory Control Theory 


In this section, we give a brief introduction to supervisory control theory
and define its fundamental entities in our setup. The basic entities (a plant,
a supervisor, or a requirement) in supervisory control theory are
deterministic automata. Furthermore, the proofs of Theorems 1 and 2
require the fact that a given SCLS is also a deterministic process.

Definition 4. A process $q \in P$ is called deterministic iff
$$\forall q_1, q_2, q_3, \alpha \in A_\tau.\,[q_1 \in Reach(q) \wedge q_1 \stackrel{\alpha}{\longrightarrow} q_2 \wedge q_1 \stackrel{\alpha}{\longrightarrow} q_3 \Rightarrow q_2 \equiv q_3],$$

where the symbol $\equiv$ denotes syntactical equivalence between the process terms.


In supervisory control theory, plants and supervisors are allowed to 
perform events that are divided into two disjoint subsets: controllable events 
and uncontrollable events. The idea behind this partition is that the supervi- 
sor can enable or disable controllable events so that the closed loop behavior 
is equivalent to the requirement. The supervisor can observe but cannot 
influence uncontrollable events. In this paper, we follow the input-output 
interpretation [4] between a plant and its supervisor, wherein the uncontrol- 
lable events are outputs from a plant to a supervisor and the controllable 
events are outputs from a supervisor to a plant. Thus, processes that model
plants or supervisors must have distinct input and output actions in their
alphabet. Such processes are called input-output processes.


Definition 5. The set of input actions for an arbitrary process $q \in P$
is denoted by $Alph^?(q)$ and is defined as $Alph^?(q) = \{a \mid ?a \in Alph(q)\}$.
Similarly, the set of output actions (denoted by $Alph^!(q)$) is defined as
$Alph^!(q) = \{a \mid !a \in Alph(q)\}$. A process $q$ is an input-output process iff
$$Alph^?(q) \cap Alph^!(q) = \emptyset \;\wedge\; Alph(q) \cap I = \emptyset \;\wedge\; \tau \notin Alph(q),$$
where $I = \{!?a \mid a \in Act\}$.


The condition $Alph(q) \cap I = \emptyset$ ensures that an input-output process
does not contain communicated actions in its alphabet. This is because
bags are introduced to buffer both input and output events of an input-output
process $q \in P$; if communicated actions were allowed in the specification of
the process $q$, it would be unknown whether the action $!?a$ is an input or an
output action of the process $q$. Finally, the third condition
$\tau \notin Alph(q)$ ensures that the silent action is not present in the alphabet of
either the plant or the supervisor.

We now define the three basic entities of supervisory control theory 
in our formalism. A plant p € P is a deterministic input-output process. 
Similarly, a supervisor s € P is a deterministic input-output process. A 
requirement is a process specifying the legal interaction that should occur
while the plant and its supervisor are interacting such that a required task
(for which the supervisor is synthesized) is completed. Thus, a requirement
is a deterministic process $r \in P$ such that
$$Alph(r) \cap H = \emptyset \;\wedge\; \tau \notin Alph(r),$$
where $H = \{!a, ?a \mid a \in Act\}$. This condition ensures that a requirement
process only contains communicated actions in its alphabet.

Now, we can state the control problem as follows: given a plant $p$ and a
requirement $r$, find a supervisor $s$ such that
$$\partial_H(p \parallel_\gamma s) \,\underline{\leftrightarrow}_b\, r.$$


In this paper, we are not interested in how this supervisor is computed. 
Instead, we assume that we are provided with a solution to the above 
equation. The goal of this paper is then to find certain conditions on the given 
SCLS such that it is branching bisimilar to the corresponding ACLS, which 
we define in the next section. Note that in supervisory control theory the
control problem is based on language equivalence, but branching bisimilarity
coincides with language equivalence in the presence of determinism and in
the absence of τ actions. However, we use branching bisimulation because
the asynchronous closed loop systems as constructed in the next section
are always nondeterministic. The nondeterminism is caused by the
abstraction of the interactions between a plant and the bags.


4 From Synchrony to Asynchrony 


The aim of this section is to formally define the construction method M1 
(see Section 1) when a SCLS is given. Next, we define a multiset and some 
operations over multisets in order to define a bag as a process in TCP. 

A multiset $\xi$ over the set of communicated actions $I$ is a function
$\xi : I \to \mathbb{N}$ that returns the corresponding multiplicity of the elements in the
multiset. We write the empty multiset as $\varepsilon : I \to \mathbb{N}$, where $\forall a \in I.\,[\varepsilon(a) = 0]$.


Definition 6. Let $\xi : I \to \mathbb{N}$ be a multiset over the set $I$.

• The predicate $\in$ is used to denote that an element belongs to a multiset.
  It is defined as $!?a \in \xi \triangleq !?a \in I \wedge \xi(!?a) > 0$.

• The operator $\oplus$ is used to denote the addition of an element to a
  multiset. It is defined as $\xi \oplus !?a = \xi'$, where $\xi'(!?a) = \xi(!?a) + 1$ and
  $\xi'(\alpha) = \xi(\alpha)$ for all $\alpha \neq !?a$.

• The operator $\ominus$ is used to denote the removal of an element from a
  multiset. It is defined as $\xi \ominus !?a = \xi'$, where $!?a \in \xi$, $\xi'(!?a) = \xi(!?a) - 1$
  and $\xi'(\alpha) = \xi(\alpha)$ for all $\alpha \neq !?a$.

• The size of a multiset $\xi$, notation $|\xi|$, is defined as $|\xi| = \sum_{!?a \in I} \xi(!?a)$.


Next, we give a process algebraic definition of the construction method
M1. Recall that the interactions between a plant and the bags are to be
hidden in the construction method M1; such interactions are represented
with an auxiliary set $\hat I = \{!?\hat a \mid a \in Act\}$. Similarly, we assume that the
corresponding sets $\hat A$ and $\hat H$ are defined.


Definition 7 (Bag). A bag process of size $n$ over a set of action labels
$A_1 \subseteq Act$ is defined in the following way:
$$B^n_{A_1}(\varepsilon) = \sum_{a \in A_1} ?a.B^n_{A_1}(\varepsilon \oplus !?a),$$
$$B^n_{A_1}(\xi) = \sum_{!?a \in \xi} !a.B^n_{A_1}(\xi \ominus !?a) + \sum_{b \in A_1} ?b.B^n_{A_1}(\xi \oplus !?b) \quad \text{if } |\xi| < n,$$
$$B^n_{A_1}(\xi) = \sum_{!?a \in \xi} !a.B^n_{A_1}(\xi \ominus !?a) \quad \text{if } |\xi| = n,$$
where $\sum$ is the generalised choice that generalises the choice between an
arbitrary number of processes [3].


Given a SCLS $\partial_H(p \parallel_\gamma s)$, the corresponding ACLS constructed using
the method M1 is denoted by the process term
$$\tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\varepsilon,\varepsilon] \parallel_{\gamma'} s)) \qquad (1)$$
for some $m, n > 0$, where

• The notation $B^{m,n}[\varepsilon,\varepsilon]$ represents two empty interleaving bags and is
  defined in the following way:
  $$B^{m,n}[\varepsilon,\varepsilon] = B^m_{A_1}(\varepsilon) \parallel B^n_{A_2}(\varepsilon),$$
  where $A_1 = Alph^?(p)$ and $A_2 = Alph^!(p)$. The variable $m > 0$ ($n > 0$)
  denotes the size of the bag associated with the input (output) actions of the
  plant $p$, and the sets $A_1$ and $A_2$ denote the sets of input and output
  action labels of the plant $p$, respectively.

• $\gamma' : (A \cup \hat A) \times (A \cup \hat A) \to (A \cup \hat A)$ is the modified communication
  function (or the abstraction scheme for method M1) defined in the
  following way:
  $$\gamma'(!a, ?a) = \begin{cases} !?\hat a & \text{if } a \in Alph^!(p) \\ !?a & \text{if } a \in Alph^!(s) \end{cases} \qquad
  \gamma'(?a, !a) = \begin{cases} !?\hat a & \text{if } a \in Alph^?(p) \\ !?a & \text{if } a \in Alph^?(s) \end{cases}$$
  Intuitively, the communication function $\gamma'$ together with the operators
  $\partial_{H \cup \hat H}$ and $\tau_{\hat I}$ ensures that an ACLS contains only communicated
  actions in its alphabet, and that the interactions between a plant and the bags
  are invisible while the interactions between a supervisor and the bags are
  visible.


We explain the above construction with the help of Figure 3. Consider
that the process $p$ is able to send an output $!a$ and the process $s$ is able
to receive the input $?a$. The modified communication function $\gamma'$ then
transforms

• any interaction $a$ between the process $p$ and the bag $B^n$ to $!?\hat a$;
• any interaction $a$ between the bag $B^n$ and the process $s$ to $!?a$.

Furthermore, the operator $\tau_{\hat I}(\_)$ in the ACLS (Equation (1)) renames the
interaction $!?\hat a$ to the silent step $\tau$.


Figure 3: An ACLS constructed using the method M1.


Now consider (Figure 3) that the process $s$ is able to send an output
$!b$ and the process $p$ is able to receive the input $?b$. The function $\gamma'$ then
transforms

• any interaction $b$ between the process $s$ and the bag $B^m$ to $!?b$;
• any interaction $b$ between the bag $B^m$ and the process $p$ to $!?\hat b$.

Furthermore, the operator $\tau_{\hat I}(\_)$ in the ACLS (Equation (1)) renames the
interaction $!?\hat b$ to the silent step $\tau$.

The rationale behind the choice of M1 is based on the observation
that the transition system generated by a supervisor $s$ is isomorphic to the
corresponding SCLS $\partial_H(p \parallel_\gamma s)$, modulo the difference in the type of action
labels [6]. This is because in the synthesis of supervisors no transitions are
introduced that a plant cannot execute. Moreover, the action labels in $s$ will
be decorated as either an input action (?) or an output action (!), while in
$\partial_H(p \parallel_\gamma s)$ the same label will be decorated as a communicated action (!?).
Formally, this fact is equivalent to
$$\rho_f(s) \cong \partial_H(p \parallel_\gamma s),$$
where $f : A \to A$ is a function that renames an input/output action
to a communicated action, i.e., $\forall ?a, !a \in A.\,[f(!a) = f(?a) = !?a]$. As a
consequence, the supervisor model remains unaffected in the abstraction
scheme M1, while in the other abstraction schemes (M2, M3 and M4) this
fact does not hold. Thus, it is easier to study abstraction scheme M1 than
the other schemes.


5 Desynchronizable Closed Loop System 


In the previous section, we have shown how to construct an ACLS from a
given SCLS. In general, the newly constructed ACLS will not be branching
bisimilar to the given SCLS (for instance, see Example 1). We therefore
look for sufficient conditions under which a SCLS is branching bisimilar to
the corresponding ACLS. Such synchronous systems are called
desynchronizable closed loop systems.


Definition 8. Let $\partial_H(p \parallel_\gamma s)$ be a SCLS and let $m, n$ be any two nonzero
natural numbers. Then, $\partial_H(p \parallel_\gamma s)$ is said to be desynchronizable with input
and output buffers of size $n$ and $m$, respectively (or in short a desynchronizable
closed loop system), if
$$\partial_H(p \parallel_\gamma s) \,\underline{\leftrightarrow}_b\, \tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\varepsilon,\varepsilon] \parallel_{\gamma'} s)).$$


We now present three sufficient conditions for desynchronizability. The 
objective of these conditions is the following. The conditions given in 
Definition 9 and Definition 10 prevent an ACLS from getting deadlocked. 
The condition in Definition 11 ensures that the silent steps introduced by 
the abstraction scheme are inert with respect to branching bisimulation. 
Definition 9. Let $\partial_H(p \parallel_\gamma s)$ be a SCLS. Then, $\partial_H(p \parallel_\gamma s)$ is called well
posed if there exists a binary relation $W \subseteq P \times P$ such that $(p, s) \in W$ and
the following conditions are satisfied:

• $\forall a, p, p', s.\,[(p, s) \in W \wedge p \stackrel{!a}{\longrightarrow} p' \Rightarrow \exists s'.\,[s \stackrel{?a}{\longrightarrow} s' \wedge (p', s') \in W]]$;

• $\forall a, p, s, s'.\,[(p, s) \in W \wedge s \stackrel{!a}{\longrightarrow} s' \Rightarrow \exists p'.\,[p \stackrel{?a}{\longrightarrow} p' \wedge (p', s') \in W]]$.

In other words, if a plant (supervisor) is able to send an output label $!a$ then
the supervisor (plant) is able to receive the input label $?a$.


We now partition the set $I$ of communicated actions into two disjoint
non-empty subsets $I^?_p$, $I^!_p$ with respect to a plant process $p$ as:

• $I^?_p = \{!?a \mid !?a \in I \wedge a \in Alph^?(p)\}$,
• $I^!_p = \{!?a \mid !?a \in I \wedge a \in Alph^!(p)\}$.

Definition 10. Let $\mu \in (I^?_p)^*$ and $\nu \in (I^!_p)^*$ be sequences in $I^?_p$ and $I^!_p$,
respectively. A SCLS $\partial_H(p \parallel_\gamma s)$ is said to satisfy the reordering property iff
both the following conditions are satisfied:

1. $\forall p', p_2, s'.\ \partial_H(p_1 \parallel_\gamma s_1) \in Reach(\partial_H(p \parallel_\gamma s)),\ !?a \in I^?_p.$
   $$[\partial_H(p_1 \parallel_\gamma s_1) \stackrel{\mu.!?a}{\Longrightarrow} \partial_H(p' \parallel_\gamma s') \wedge p_1 \stackrel{?a}{\longrightarrow} p_2 \Rightarrow
   \exists s_2.\,[\partial_H(p_1 \parallel_\gamma s_1) \stackrel{!?a}{\longrightarrow} \partial_H(p_2 \parallel_\gamma s_2)]];$$

2. $\forall p', s', s_2.\ \partial_H(p_1 \parallel_\gamma s_1) \in Reach(\partial_H(p \parallel_\gamma s)),\ !?a \in I^!_p.$
   $$[\partial_H(p_1 \parallel_\gamma s_1) \stackrel{\nu.!?a}{\Longrightarrow} \partial_H(p' \parallel_\gamma s') \wedge s_1 \stackrel{?a}{\longrightarrow} s_2 \Rightarrow
   \exists p_2.\,[\partial_H(p_1 \parallel_\gamma s_1) \stackrel{!?a}{\longrightarrow} \partial_H(p_2 \parallel_\gamma s_2)]].$$

Informally, the reordering property states that if the receiver (plant or
supervisor) is willing to receive an input $?a$ and the sender (supervisor or
plant) can perform a sequence of outputs $\mu.!?a$, then the receiver can receive
the message $a$ before receiving the sequence of outputs $\mu$ in the SCLS. This
is due to the nature of the buffers (i.e., bags) that are inserted between the
plant and its supervisor.
Figure 4: An example showing a deadlock in the ACLS which is not present
in the SCLS. Notation: $p[\mu,\nu]s = \tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\mu,\nu] \parallel_{\gamma'} s))$.


Example 1. Consider the behaviour of a plant $p$ and its supervisor $s$ specified
by the following set of equations:
$$p = ?a.p_1 + ?b.p'_1 \qquad p_1 = ?b.p_2 \qquad p_2 = !c.p_3$$
$$s = !a.s_1 \qquad s_1 = !b.s_2 \qquad s_2 = ?c.s_3$$

The behaviour of the SCLS $\partial_H(p \parallel_\gamma s)$ is:
$$\partial_H(p \parallel_\gamma s) = !?a.\partial_H(p_1 \parallel_\gamma s_1) \qquad
\partial_H(p_1 \parallel_\gamma s_1) = !?b.\partial_H(p_2 \parallel_\gamma s_2) \qquad
\partial_H(p_2 \parallel_\gamma s_2) = !?c.\partial_H(p_3 \parallel_\gamma s_3).$$

The transition system generated by the ACLS
$\tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\varepsilon,\varepsilon] \parallel_{\gamma'} s))$
is depicted in Figure 4. Note that the interactions in the ACLS can be delayed
in the buffers, so the supervisor can perform the output sequence $!a.!b$ without
allowing any moves from the plant $p$, i.e., the reachable state
$$\tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\{!?a, !?b\}, \varepsilon] \parallel_{\gamma'} s_2)).$$

Due to the equation $p = ?a.p_1 + ?b.p'_1$, the plant can remove the input $b$ from
its input bag before the input $a$, leading the ACLS into a deadlock state
(shown as a rounded rectangle in Figure 4).
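The following Python model is added here and is not code from the paper: it encodes the plant and supervisor of Example 1 as finite transition systems, builds the SCLS product and the method-M1 asynchronous product with bounded bags (Definitions 6 and 7, Equation (1)), and checks by exhaustive exploration both the deadlock of Figure 4 and item 1 of the reordering property (Definition 10). The state name `p1_` stands for the unspecified continuation $p'_1$, and the bag sizes `m`, `n` are parameters; everything else follows the equations above.

```python
from collections import deque

# Constructed from Example 1 of the paper (the code itself is not the paper's):
# plant p and supervisor s as finite transition systems. A transition is
# (direction, label, target), "!" for a send and "?" for a receive; "p1_" is p1'.
PLANT = {"p": [("?", "a", "p1"), ("?", "b", "p1_")], "p1": [("?", "b", "p2")],
         "p2": [("!", "c", "p3")], "p1_": [], "p3": []}
SUPERVISOR = {"s": [("!", "a", "s1")], "s1": [("!", "b", "s2")],
              "s2": [("?", "c", "s3")], "s3": []}
PLANT_INPUTS = {a for ts in PLANT.values() for d, a, _ in ts if d == "?"}  # Alph?(p)

def bag_add(bag, a):
    """The (+) operator of Definition 6 on a multiset kept as a sorted tuple."""
    return tuple(sorted(bag + (a,)))

def bag_remove(bag, a):
    """The (-) operator of Definition 6; a must occur in the bag."""
    items = list(bag)
    items.remove(a)
    return tuple(items)

def scls_steps(state):
    """Steps of the SCLS d_H(p ||_g s): encapsulation leaves only the
    handshakes, each labelled with the communicated action !?a."""
    pst, sst = state
    return [("!?" + a, (p2, s2))
            for d1, a, p2 in PLANT[pst] for d2, b, s2 in SUPERVISOR[sst]
            if a == b and {d1, d2} == {"!", "?"}]

def acls_steps(state, m, n):
    """Steps of the ACLS of method M1 (Equation (1)). A state is
    (plant, supervisor, input bag, output bag): the input bag (size m) holds
    supervisor outputs not yet taken by the plant, the output bag (size n)
    holds plant outputs not yet taken by the supervisor. Plant/bag steps are
    hidden ("tau"); supervisor/bag steps stay visible as !?a."""
    pst, sst, inbag, outbag = state
    steps = []
    for d, a, p2 in PLANT[pst]:
        if d == "!" and len(outbag) < n:           # plant -> output bag, hidden
            steps.append(("tau", (p2, sst, inbag, bag_add(outbag, a))))
        if d == "?" and a in inbag:                # input bag -> plant, hidden
            steps.append(("tau", (p2, sst, bag_remove(inbag, a), outbag)))
    for d, a, s2 in SUPERVISOR[sst]:
        if d == "!" and len(inbag) < m:            # supervisor -> input bag
            steps.append(("!?" + a, (pst, s2, bag_add(inbag, a), outbag)))
        if d == "?" and a in outbag:               # output bag -> supervisor
            steps.append(("!?" + a, (pst, s2, inbag, bag_remove(outbag, a))))
    return steps

def reachable(initial, steps):
    """Breadth-first exploration; returns {state: [(label, successor), ...]}."""
    graph, queue = {}, deque([initial])
    while queue:
        st = queue.popleft()
        if st in graph:
            continue
        graph[st] = steps(st)
        queue.extend(nxt for _, nxt in graph[st] if nxt not in graph)
    return graph

def acls_only_deadlocks(m=2, n=2):
    """Deadlocked ACLS states whose (plant, supervisor) pair is not stuck in
    the SCLS; for Example 1 this is the rounded-rectangle state of Figure 4."""
    sync = reachable(("p", "s"), scls_steps)
    asyn = reachable(("p", "s", (), ()), lambda st: acls_steps(st, m, n))
    sync_dead = {st for st, succ in sync.items() if not succ}
    return sorted(st for st, succ in asyn.items()
                  if not succ and (st[0], st[1]) not in sync_dead)

def reordering_violations():
    """Item 1 of the reordering property (Definition 10) by graph search: from
    each reachable SCLS state (p1, s1) follow only steps labelled with plant
    inputs (the set I?_p). If a state on such a path offers !?a while p1 can
    receive ?a but (p1, s1) cannot do !?a, the property fails, and a bag
    would let the plant take a ahead of the buffered inputs."""
    sync = reachable(("p", "s"), scls_steps)
    bad = set()
    for (p1, s1), succ in sync.items():
        offered = {lab for lab, _ in succ}
        closure, todo = {(p1, s1)}, [(p1, s1)]
        while todo:
            for lab, nxt in sync[todo.pop()]:
                if lab[2:] in PLANT_INPUTS and nxt not in closure:
                    closure.add(nxt)
                    todo.append(nxt)
        for st in closure:
            for lab, _ in sync[st]:
                a = lab[2:]
                can_receive = any(d == "?" and x == a for d, x, _ in PLANT[p1])
                if a in PLANT_INPUTS and can_receive and lab not in offered:
                    bad.add((p1, s1, a))
    return sorted(bad)

if __name__ == "__main__":
    print("ACLS-only deadlocks (m=n=2):", acls_only_deadlocks())
    print("reordering violations:", reordering_violations())
```

With bags of size one (`m=1, n=1`) the search finds no extra deadlock, because the supervisor cannot queue `!b` before the plant has taken `a`; the reordering check reports the pair `(p, s)` with action `b`, which is exactly the choice `?b.p1'` that the example blames.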


Definition 11. A process $q \in P$ is said to satisfy the diamond property iff
the following condition holds (see Figure 5):

Figure 5: Diamond property.

• $\forall \alpha_1, \alpha_2, q_1, q_2, q_3.\,[q_1 \in Reach(q) \wedge q_1 \stackrel{\alpha_1}{\longrightarrow} q_2 \wedge q_1 \stackrel{\alpha_2}{\longrightarrow} q_3 \wedge \alpha_1 \neq \alpha_2 \Rightarrow
  \exists q_4.\,[q_2 \stackrel{\alpha_2}{\longrightarrow} q_4 \wedge q_3 \stackrel{\alpha_1}{\longrightarrow} q_4]]$.


For a reader familiar with the concepts of true concurrency [19], the 
conditions given in Definitions 4, 10 and 11 are similar to the axioms of 
asynchronous transition systems. The formulation of these axioms is based 
on the definition of an independence relation, which is an irreflexive and 
symmetric relation on the set of actions A. However, the techniques for 
desynchronizability for such models are not investigated here, although it 
will be worthwhile to examine this research direction in the future. Note that 
in our approach we do not need an additional notion of the independence 
relation. 


5.1 Sufficient Condition for Desynchronizability 


In this subsection, we first introduce a notion of sequence generated from
a multiset. Secondly, Definitions 10 and 11 are lifted from an action to
a sequence of actions. Finally, we prove the main theorem stating: if an
arbitrary SCLS $\partial_H(p \parallel_\gamma s)$ satisfies the conditions in Definitions 9, 10 and
11 then
$$\forall m, n > 0.\,[\partial_H(p \parallel_\gamma s) \,\underline{\leftrightarrow}_b\, \tau_{\hat I}(\partial_{H \cup \hat H}(p \parallel_{\gamma'} B^{m,n}[\varepsilon,\varepsilon] \parallel_{\gamma'} s))].$$

We fix the symbols $\mu, \nu$ for the contents of the bag attached to the input
and output actions of the plant process $p$, respectively. Formally,
$\forall a \in I^!_p.\,[\mu(a) = 0]$ and $\forall a \in I^?_p.\,[\nu(a) = 0]$. For an arbitrary multiset $\xi$, we write
$\bar\xi$ to denote a sequence generated from this multiset. For example, consider
a multiset $\xi = \{!?a, !?a, !?b, !?b\}$. Then a possible sequence $\bar\xi$ over the given
$\xi$ can be of the form $\langle !?a.!?b.!?a.!?b \rangle$. Let $f_i : I^* \to H^*$ be the function
defined as $f_i(!?a.\bar\xi) = ?a.f_i(\bar\xi)$. Similarly, let $f_o : I^* \to H^*$ be the function
defined as $f_o(!?a.\bar\xi) = !a.f_o(\bar\xi)$.


Proposition 1.

1. Given a trace $\partial_H(p \parallel_\gamma s) \stackrel{\bar\mu}{\Longrightarrow} \partial_H(p_1 \parallel_\gamma s_1)$, we find, using the above
   function $f_i$ and the semantics of $\parallel_\gamma$, that $p \stackrel{f_i(\bar\mu)}{\Longrightarrow} p_1 \wedge s \stackrel{f_o(\bar\mu)}{\Longrightarrow} s_1$.

2. Similarly, given a trace $\partial_H(p \parallel_\gamma s) \stackrel{\bar\nu}{\Longrightarrow} \partial_H(p_1 \parallel_\gamma s_1)$, we conclude
   that $p \stackrel{f_o(\bar\nu)}{\Longrightarrow} p_1 \wedge s \stackrel{f_i(\bar\nu)}{\Longrightarrow} s_1$.

Lemma 1 is a generalization of Definition 11. It states that if two
different states $q_1, q_2$ are reachable from a state $q_0$, then there exists a state
$q_3$ reachable from $q_1$ and $q_2$ such that the trace between $q_0, q_1$ and the trace
between $q_0, q_2$ commute.


Lemma 1 (Generalized diamond property). Let $\partial_H(p \parallel_\gamma s)$ be an arbitrary
SCLS satisfying the diamond property (Definition 11). If $\partial_H(p_1 \parallel_\gamma s_1) \in
Reach(\partial_H(p \parallel_\gamma s))$ and $\partial_H(p_1 \parallel_\gamma s_1) \stackrel{\bar\xi}{\Longrightarrow} \partial_H(p_2 \parallel_\gamma s_2) \wedge
\partial_H(p_1 \parallel_\gamma s_1) \stackrel{\bar\xi'}{\Longrightarrow} \partial_H(p_3 \parallel_\gamma s_3)$ then
$$\exists p_4, s_4.\,[\partial_H(p_2 \parallel_\gamma s_2) \stackrel{\bar\xi'}{\Longrightarrow} \partial_H(p_4 \parallel_\gamma s_4) \wedge \partial_H(p_3 \parallel_\gamma s_3) \stackrel{\bar\xi}{\Longrightarrow} \partial_H(p_4 \parallel_\gamma s_4)].$$


Lemma 2 is the result obtained by direct instantiation of the reordering 
property (Definition 10) and the generalized diamond property (Lemma 1). 


Lemma 2. Let $\partial_H(p \parallel_\gamma s)$ be a SCLS satisfying the conditions in Definitions
10 and 11.

1. Suppose $!?a \in I^?_p \wedge \partial_H(p \parallel_\gamma s) \stackrel{\bar\mu.!?a}{\Longrightarrow} \partial_H(p_2 \parallel_\gamma s_2) \wedge p \stackrel{?a}{\longrightarrow} p_1$; then
   $$\exists s_1.\,[\partial_H(p \parallel_\gamma s) \stackrel{!?a}{\longrightarrow} \partial_H(p_1 \parallel_\gamma s_1) \stackrel{\bar\mu}{\Longrightarrow} \partial_H(p_2 \parallel_\gamma s_2)].$$

2. Suppose $!?a \in I^!_p \wedge \partial_H(p \parallel_\gamma s) \stackrel{\bar\nu.!?a}{\Longrightarrow} \partial_H(p_3 \parallel_\gamma s_3) \wedge s \stackrel{?a}{\longrightarrow} s_1$; then
   $$\exists p_1.\,[\partial_H(p \parallel_\gamma s) \stackrel{!?a}{\longrightarrow} \partial_H(p_1 \parallel_\gamma s_1) \stackrel{\bar\nu}{\Longrightarrow} \partial_H(p_3 \parallel_\gamma s_3)].$$
Proof: We give the proof of Item 1 only. It is given that $\partial_H(p\parallel_\gamma s)$ satisfies the conditions in Definitions 9, 10 and 11 with $!?a\in I_s\ \wedge\ \partial_H(p\parallel_\gamma s)\xrightarrow{\bar\mu.!?a}\partial_H(p_2\parallel_\gamma s_2)\ \wedge\ p\xrightarrow{?a}p'$. Then by the reordering property (Definition 10) we get,
$$\exists s_1.\,[\partial_H(p\parallel_\gamma s)\xrightarrow{!?a}\partial_H(p'\parallel_\gamma s_1)].$$
By the given transitions $\partial_H(p\parallel_\gamma s)\xrightarrow{\bar\mu.!?a}\partial_H(p_2\parallel_\gamma s_2)$ we infer that,
$$\exists p_1,s_1'.\,[\partial_H(p\parallel_\gamma s)\xrightarrow{\bar\mu}\partial_H(p_1\parallel_\gamma s_1')\xrightarrow{!?a}\partial_H(p_2\parallel_\gamma s_2)].$$
Applying the generalised diamond property (Lemma 1) at the state $\partial_H(p\parallel_\gamma s)$ to the traces $!?a$ and $\bar\mu$ we get,
$$\partial_H(p'\parallel_\gamma s_1)\xrightarrow{\bar\mu}\partial_H(p_2\parallel_\gamma s_2).$$
Hence, the desired result is achieved. Likewise, Item 2 can be proved.


Theorem 1. Let $\partial_H(p\parallel_\gamma s)$ be an arbitrary SCLS satisfying the conditions in Definitions 9, 10 and 11. Then for any $m,n>0$ we have,
$$\partial_H(p\parallel_\gamma s)\;\underline{\leftrightarrow}_b\;\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\emptyset,\emptyset]\parallel_\gamma s)).$$
Sketch of the proof: Define a relation $\mathfrak{R}$ as follows.
$$\mathfrak{R}=\{(\partial_H(p\parallel_\gamma s),\ \tau_I(\partial_{H\cup A}(p'\parallel_\gamma B^{m,n}[\mu,\nu]\parallel_\gamma s)))\ \mid\ C1\vee C2\vee C3\vee C4\vee C5\},$$
where (C1) is $\nu=\emptyset\wedge p=p'\wedge\mu=\emptyset$, and each of (C2) to (C5) requires that $\partial_H(p\parallel_\gamma s)$ and $\partial_H(p'\parallel_\gamma s')$ (for some $s'$, possibly via an intermediate state $\partial_H(p''\parallel_\gamma s'')$) be connected by transitions labelled with sequences over the bag contents $\mu$ and $\nu$.

Note that the above conditions C1, C2, C3, C4 and C5 are independent of $n,m$. The proof of the theorem is based on showing that $\mathfrak{R}$ is a witnessing branching bisimulation relation. A state $\partial_H(p\parallel_\gamma s)$ in a SCLS is related to those states in an ACLS that contain the same supervisor state $s$. The $\mathfrak{R}$ relation between two states is indicated by dotted lines in Figure 6. The complete proof uses a lot of case distinction and can be found in [5].


Figure 6: Illustration of the relation $\mathfrak{R}$, where $p[\mu,\nu]s=\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\mu,\nu]\parallel_\gamma s))$; the figure shows the states $\partial_H(p_1\parallel_\gamma s_1)$ and $\partial_H(p_3\parallel_\gamma s_3)$ and marks the cases C4 and C5.

Figure 7: A partial synchronous closed loop system: the plant $p$ and the supervisor $s$ interact with each other and, through $Alph(p)$ and $Alph(s)$, with the environment.


6 Desynchronization of Partial Synchronous Closed 
Loop Systems 


In the previous section, we showed that the well posedness, reordering 
and diamond properties are sufficient conditions under which a SCLS is 
desynchronizable. In this section, we extend the desynchronizability result 
to a class of SCLSs whose alphabet not only contains interaction between 
a plant and its supervisor; but also, external actions of plant or supervisor 
or both. These external actions will result in interaction with an external 
environment. Such closed loop systems are called partial synchronous closed 
loop systems (PSCLSs) and Figure 7 shows the context diagram of a PSCLS. 
To carry out similar work as in Section 5, we first modify the definitions of a plant, a supervisor, and a requirement in order to construct a PSCLS. Secondly, we extend the definitions of the aforementioned sufficient conditions in a conservative way. For a plant $p$ (supervisor $s$), we assume a given set of external actions $Alph(p)$ ($Alph(s)$).


Definition 12. A plant (supervisor) $p\in P$ ($s\in P$) is an input-output and deterministic process such that the set of external actions is nonempty, i.e., $Alph(p)\neq\emptyset$. Define the modified blocking set,
$$H(p,s)=\{\alpha,\beta\mid\alpha\notin Alph(p)\wedge\beta\notin Alph(s)\}.$$
A requirement $r\in P$ for a partial SCLS $\partial_{H(p,s)}(p\parallel_\gamma s)$ is a deterministic process such that,
$$Alph(r)\cap H(p,s)=\emptyset\ \wedge\ \tau\notin Alph(r).$$
Furthermore, the control equation in this new setting is the following.
$$\partial_{H(p,s)}(p\parallel_\gamma s)\preceq r.$$


The above modifications result in the following change of the definition of the communication function $\gamma'$, which implements the abstraction scheme M1. We write the ACLS as
$$\tau_I(\partial_{H(p,s)\cup A(p,s)}(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s))$$
(for some $m,n>0$), constructed from a PSCLS $\partial_{H(p,s)}(p\parallel_\gamma s)$. The function $\gamma'(!a,?a)$ is defined by four cases, according to whether $!a\in Alph'(p)$ or $!a\in Alph'(s)$ (respectively $?a\in Alph'(p)$ or $?a\in Alph'(s)$) and whether the action lies in $H(p,s)$; in the two supervisor-side cases ($!a\in Alph'(s)\wedge !a\in H(p,s)$ and $?a\in Alph'(s)\wedge ?a\in H(p,s)$) the result is the communication action $!?a$.

Informally, the above definition of the communication function $\gamma'$ not only implements the abstraction scheme M1, but it also restricts the communication of the external actions of both the plant and the supervisor with the bags.
6.1 Modified Sufficient Conditions

In this section, we extend the well-posedness, the reordering and the diamond property in a conservative way. Furthermore, we introduce an additional property, called the fair-noise property, that ensures that the presence of external actions of the plant is safe. The intuition behind these conditions will be explained alongside their respective formal definitions.


Notation. We write a PSCLS $\partial_{H(p,s)}(p\parallel_\gamma s)$ as $\partial_\circ(p\parallel_\gamma s)$ and the corresponding partial asynchronous closed loop system as $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$.

Definition 13. Let $\partial_\circ(p\parallel_\gamma s)$ be a PSCLS. Then $\partial_\circ(p\parallel_\gamma s)$ is called well posed if there exists a binary relation $W\subseteq P\times P$ such that $(p,s)\in W$ and the following conditions are satisfied:

1. $\forall p,p',s,a.\,[(p,s)\in W\ \wedge\ p\xrightarrow{!a}p'\ \wedge\ !a\notin Alph(p)\ \Rightarrow\ \exists s'.[s\xrightarrow{?a}s'\ \wedge\ (p',s')\in W]]$;

2. $\forall p,p',s,a.\,[(p,s)\in W\ \wedge\ p\xrightarrow{a}p'\ \wedge\ a\in Alph(p)\ \Rightarrow\ (p',s)\in W]$;

3. $\forall p,s,s',a.\,[(p,s)\in W\ \wedge\ s\xrightarrow{!a}s'\ \wedge\ !a\notin Alph(s)\ \Rightarrow\ \exists p'.[p\xrightarrow{?a}p'\ \wedge\ (p',s')\in W]]$;

4. $\forall p,s,s',a.\,[(p,s)\in W\ \wedge\ s\xrightarrow{a}s'\ \wedge\ a\in Alph(s)\ \Rightarrow\ (p,s')\in W]$.


Conditions 1 and 3 in the above definition are the usual conditions (see Definition 9) of the well-posedness property. However, conditions 2 and 4 ensure that an external step $q\xrightarrow{a}q'$ ($a\in Alph(p)\cup Alph(s)$) performed at a receiver's state (either the plant's state or the supervisor's state, i.e., $q=p$ or $q=s$) does not alter the set of input actions enabled at the state $q$, and thus the pair remains well-posed.


As already mentioned, the above well-posedness property was designed 
to prevent a PSCLS from getting deadlocked. Unfortunately, the well- 
posedness property alone is not sufficient for this purpose. The following 
example illustrates this fact. 


Example 2. Let $a\in Alph(s)$ and consider the following equations describing the incomplete behaviour of a plant and a supervisor.
$$p=\,?a.0+?b.p_1,\quad p_1=\,?a.p_2,\quad p_2=\,!c.p;\qquad s=\,!b.s_1,\quad s_1=a.s_2,\quad s_2=\,!a.s_3,\quad s_3=\,?c.s$$
Figures 8(a) and 8(b) show the transition systems of $\partial_\circ(p\parallel_\gamma s)$ and $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$, respectively. Note that the PSCLS $\partial_\circ(p\parallel_\gamma s)$ is deadlock free; however, the ACLS $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$ contains the following deadlock trace $\langle !?b.a.!?a.\tau\rangle$.
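To make the phenomenon of Example 2 concrete, the following Python script (an added example, not code from the paper) builds both closed loops from explicit-state plant and supervisor descriptions and searches breadth-first for a reachable deadlock. The plant and supervisor are those of Example 2, transcribed by hand; the treatment of bag steps (supervisor-side steps visible as `!?x`, plant-side steps hidden as `tau`) follows the abstraction scheme M1 as described in this section, and the bounded-capacity option `cap`, the function names and the second plant/supervisor pair (Example 4 of Section 7) are this example's own.

```python
"""Added example (not code from the paper): explicit-state models of a (partial)
synchronous closed loop and of its asynchronous implementation with bags, plus a
breadth-first deadlock search.

A process is a dict  state -> list of (action, next_state).
Action syntax: '!x' output, '?x' input; any other string is an external action.
"""
from collections import deque

# Example 2 (transcribed): p = ?a.0 + ?b.p1, p1 = ?a.p2, p2 = !c.p
#                          s = !b.s1, s1 = a.s2, s2 = !a.s3, s3 = ?c.s
PLANT = {'p': [('?a', '0'), ('?b', 'p1')], 'p1': [('?a', 'p2')], 'p2': [('!c', 'p')], '0': []}
SUPERVISOR = {'s': [('!b', 's1')], 's1': [('a', 's2')], 's2': [('!a', 's3')], 's3': [('?c', 's')]}

# Example 4 of Section 7 (transcribed): p = ?a.p1, p1 = !b.p2, p2 = ?c.p
#                                       s = !a.s1, s1 = ?b.s2, s2 = !c.s
PLANT4 = {'p': [('?a', 'p1')], 'p1': [('!b', 'p2')], 'p2': [('?c', 'p')]}
SUPERVISOR4 = {'s': [('!a', 's1')], 's1': [('?b', 's2')], 's2': [('!c', 's')]}


def _is_io(act):
    return act[0] in '!?'


def sync_steps(plant, sup, state):
    """Transitions of the synchronous closed loop: an output !x of one component
    synchronises with the input ?x of the other into the communication !?x,
    external actions interleave, and unmatched !x / ?x are blocked (encapsulation)."""
    p, s = state
    out = []
    for act, p2 in plant[p]:
        if not _is_io(act):
            out.append((act, (p2, s)))
        elif act[0] == '!':
            out += [('!?' + act[1:], (p2, s2)) for sact, s2 in sup[s] if sact == '?' + act[1:]]
    for act, s2 in sup[s]:
        if not _is_io(act):
            out.append((act, (p, s2)))
        elif act[0] == '!':
            out += [('!?' + act[1:], (p2, s2)) for pact, p2 in plant[p] if pact == '?' + act[1:]]
    return out


def _add(bag, x):            # bags are multisets kept as sorted tuples
    return tuple(sorted(bag + (x,)))


def _remove(bag, x):
    items = list(bag)
    items.remove(x)
    return tuple(items)


def async_steps(plant, sup, state, cap=None):
    """Transitions of the asynchronous closed loop with two bags: `inbag` holds
    messages sent by the supervisor and not yet taken by the plant, `outbag` the
    converse.  Following abstraction scheme M1, supervisor/bag steps stay visible
    as !?x while plant/bag steps become 'tau'.  `cap` bounds each bag (None = unbounded)."""
    p, inbag, outbag, s = state
    out = []
    for act, p2 in plant[p]:
        if act[0] == '!':
            if cap is None or len(outbag) < cap:
                out.append(('tau', (p2, inbag, _add(outbag, act[1:]), s)))
        elif act[0] == '?':
            if act[1:] in inbag:
                out.append(('tau', (p2, _remove(inbag, act[1:]), outbag, s)))
        else:
            out.append((act, (p2, inbag, outbag, s)))
    for act, s2 in sup[s]:
        if act[0] == '!':
            if cap is None or len(inbag) < cap:
                out.append(('!?' + act[1:], (p, _add(inbag, act[1:]), outbag, s2)))
        elif act[0] == '?':
            if act[1:] in outbag:
                out.append(('!?' + act[1:], (p, inbag, _remove(outbag, act[1:]), s2)))
        else:
            out.append((act, (p, inbag, outbag, s2)))
    return out


def find_deadlock(steps, initial, max_states=10000):
    """Breadth-first search for a reachable state with no outgoing transition.
    Returns (trace, state) for the shortest such path, or None if there is none
    among the first `max_states` states (unbounded bags may give infinite spaces)."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        succ = steps(state)
        if not succ:
            return trace, state
        for label, nxt in succ:
            if nxt not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError('state space exceeds max_states')
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


def sync_deadlock(plant, sup, p0, s0):
    return find_deadlock(lambda st: sync_steps(plant, sup, st), (p0, s0))


def async_deadlock(plant, sup, p0, s0, cap=None):
    return find_deadlock(lambda st: async_steps(plant, sup, st, cap), (p0, (), (), s0))


if __name__ == '__main__':
    print('SCLS deadlock:', sync_deadlock(PLANT, SUPERVISOR, 'p', 's'))
    print('ACLS deadlock:', async_deadlock(PLANT, SUPERVISOR, 'p', 's'))
    print('ACLS deadlock, bag capacity 1:', async_deadlock(PLANT, SUPERVISOR, 'p', 's', cap=1))
```

Run as a script, the synchronous loop of Example 2 reports no deadlock while the asynchronous loop reports the trace `!?b, a, !?a, tau` ending in the state with plant `0`, input bag `{?b}` and supervisor `s3`, the deadlock of Figure 8(b). With `cap=1` the supervisor cannot send `!a` while `?b` is still pending and the deadlock disappears; since Theorems 1 and 2 quantify over all bag sizes $m,n>0$, a check at a single capacity says nothing about the general case, which is exactly why sufficient conditions on the synchronous system are attractive.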


Thus, the following reordering property is designed to eliminate such 
scenarios. 


Definition 14. Let $\bar\mu\in(I_s\cup Alph(s))^*$ and $\bar\nu\in(I_p\cup Alph(p))^*$ be sequences generated from $\mu$ and $\nu$, respectively. A PSCLS $\partial_\circ(p\parallel_\gamma s)$ is said to satisfy the reordering property iff,

• $\forall p'',p_2,s'',\ \partial_\circ(p_1\parallel_\gamma s_1)\in Reach(\partial_\circ(p\parallel_\gamma s)),\ !?a\in I_s.\ [\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\bar\mu.!?a}\partial_\circ(p''\parallel_\gamma s'')\ \wedge\ p_1\xrightarrow{?a}p_2\ \Rightarrow\ \exists s_2.[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_2\parallel_\gamma s_2)]]$;

• $\forall p'',s'',s_2,\ \partial_\circ(p_1\parallel_\gamma s_1)\in Reach(\partial_\circ(p\parallel_\gamma s)),\ !?a\in I_p.\ [\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\bar\nu.!?a}\partial_\circ(p''\parallel_\gamma s'')\ \wedge\ s_1\xrightarrow{?a}s_2\ \Rightarrow\ \exists p_2.[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_2\parallel_\gamma s_2)]]$.


In the new setting, the diamond property (Definition 15) also ensures 
that the silent steps generated by the abstraction scheme are inert. 


Definition 15. A process $q\in P$ is said to satisfy the diamond property iff the following condition holds:
$$\forall a_1,a_2,q_1,q_2,q_3.\ [q_1\in Reach(q)\ \wedge\ q_1\xrightarrow{a_1}q_2\ \wedge\ q_1\xrightarrow{a_2}q_3\ \wedge\ a_1\neq a_2\ \Rightarrow\ \exists q_4.[q_2\xrightarrow{a_2}q_4\ \wedge\ q_3\xrightarrow{a_1}q_4]].$$


We have extended the old sufficient conditions to the setting of PSCLSs and expect the desynchronizability result to hold via a branching bisimulation relation $\mathfrak{R}'$² similar to the one used in the proof of Theorem 1.

²We introduce a different notation for branching bisimulation in the context of PSCLSs because of the presence of external actions of a plant and its supervisor.
Figure 8: Example 2. (a) Transition system of $\partial_\circ(p\parallel_\gamma s)$. (b) Partial transition system of $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$ showing the deadlock at the state $\nabla(0\parallel_{\gamma'}B^{m,n}[\{?b\},\emptyset]\parallel_{\gamma'}s_3)$.
The idea behind the design of the relation $\mathfrak{R}'$ should be to relate a state $\partial_\circ(p\parallel_\gamma s)$ in a PSCLS to those states $\nabla(p'\parallel_{\gamma'}B^{m,n}[\mu,\nu]\parallel_{\gamma'}s)$ in an ACLS that contain the same supervisor state $s$. This is due to the abstraction scheme used to construct a partial asynchronous closed loop system from a given PSCLS. Unfortunately, there are certain scenarios (explained in the following paragraph), caused by external steps of the plant, in which an ACLS has behaviour that is not present in the corresponding PSCLS. However, if a PSCLS contains only the external actions of the supervisor (i.e. no external actions of the plant) in its alphabet, then the above modified conditions are sufficient for desynchronizability.

Next we explore the scenarios in which the external step made by a 
plant in a PSCLS obstructs its desynchronizability. 


Figure 9: Transition system of $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$ in Example 3 (states $p[\emptyset,\emptyset]s$, $p_1[\emptyset,\{?a\}]s$, $p_2[\emptyset,\{?a\}]s$, $p_2[\emptyset,\emptyset]s_1$ and the corresponding states with the plant ahead by the external action $a$).


Example 3. Consider the behaviour of a PSCLS specified by the following equations
$$\partial_\circ(p\parallel_\gamma s)=\,!?a.\partial_\circ(p_1\parallel_\gamma s_1),\qquad \partial_\circ(p_1\parallel_\gamma s_1)=a.\partial_\circ(p_2\parallel_\gamma s_1)$$
where $!?a\in I_p$ and $a\in Alph(p)$. The transition system generated by the ACLS is shown in Figure 9. Immediately, we observe the trace $\langle\tau.a.!?a\rangle$ from the state $\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s)$, and thus the states $\partial_\circ(p\parallel_\gamma s)$ and $\nabla(p_1\parallel_{\gamma'}B^{m,n}[\emptyset,\{?a\}]\parallel_{\gamma'}s)$ cannot be related by a branching bisimulation relation $\mathfrak{R}'$. Moreover, this contradicts our intuition about $\mathfrak{R}'$ that "a state $\partial_\circ(p\parallel_\gamma s)$ in a PSCLS is related to those states in an ACLS that contain the same supervisor state $s$". To rectify this, we require that the state $\partial_\circ(p\parallel_\gamma s)$ must also admit the trace $\langle a.!?a\rangle$, reaching the state $\partial_\circ(p_2\parallel_\gamma s_1)$. This leads to another sufficient condition.
Definition 16. Let $!?a\in I_p$ and $a\in Alph(p)$. A plant $p$ satisfies the fair-noise property in a PSCLS $\partial_\circ(p\parallel_\gamma s)$ iff
$$\forall\partial_\circ(p_1\parallel_\gamma s_1)\in Reach(\partial_\circ(p\parallel_\gamma s)).\ [\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a.a}\partial_\circ(p_2\parallel_\gamma s_2)\ \Rightarrow\ \exists p_1'.[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{a}\partial_\circ(p_1'\parallel_\gamma s_1)]].$$


Lemma 3. Let $\bar\nu\in I_p^*$, $a\in Alph(p)$, and let $\partial_\circ(p_1\parallel_\gamma s_1)$ satisfy the fair-noise property (Definition 16) and the diamond property (Definition 15). If $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\bar\nu.a}\partial_\circ(p_2\parallel_\gamma s_2)$ then,
$$\exists p_1'.\,[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{a}\partial_\circ(p_1'\parallel_\gamma s_1)\xrightarrow{\bar\nu}\partial_\circ(p_2\parallel_\gamma s_2)].$$

Proof: Straightforward, by induction on $\bar\nu$.

Proposition 2. Let $\bar\nu\in I_p^*$, $\sigma\in Alph(p)^*$ and suppose $\partial_\circ(p\parallel_\gamma s)$ satisfies the fair-noise property (Definition 16) and the diamond property (Definition 15). If $\partial_\circ(p\parallel_\gamma s)\xrightarrow{\bar\nu.\sigma}\partial_\circ(p_1\parallel_\gamma s_1)$ then,
$$\exists p',s'.\,[\partial_\circ(p\parallel_\gamma s)\xrightarrow{\sigma}\partial_\circ(p'\parallel_\gamma s')\xrightarrow{\bar\nu}\partial_\circ(p_1\parallel_\gamma s_1)].$$

Proof: Direct from Lemma 3.


Lemma 4. Let $\partial_\circ(p\parallel_\gamma s)$ be an arbitrary PSCLS satisfying the extended diamond property (Definition 15). If $\partial_\circ(p_1\parallel_\gamma s_1)\in Reach(\partial_\circ(p\parallel_\gamma s))$ and $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\bar\xi}\partial_\circ(p_2\parallel_\gamma s_2)\ \wedge\ \partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\bar\xi'}\partial_\circ(p_3\parallel_\gamma s_3)$ then,
$$\exists p_4,s_4.\,[\partial_\circ(p_2\parallel_\gamma s_2)\xrightarrow{\bar\xi'}\partial_\circ(p_4\parallel_\gamma s_4)\ \wedge\ \partial_\circ(p_3\parallel_\gamma s_3)\xrightarrow{\bar\xi}\partial_\circ(p_4\parallel_\gamma s_4)].$$


Lemma 5. Let $\partial_\circ(p_1\parallel_\gamma s_1)$ be a PSCLS satisfying the well-posedness (Definition 13), reordering (Definition 14) and diamond (Definition 15) properties. Suppose $!?a\in I_s$, $\sigma\in(Alph(p)\cup Alph(s))^*$ such that $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\sigma}\partial_\circ(p_2\parallel_\gamma s_2)\xrightarrow{!?a}\partial_\circ(p_3\parallel_\gamma s_3)$. Then,
$$\exists p_3',s_3'.\,[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_3'\parallel_\gamma s_3')\xrightarrow{\sigma}\partial_\circ(p_3\parallel_\gamma s_3)].$$
Proof: We use structural induction on $\sigma$ to prove this result. Without loss of generality, assume that $\sigma=a.\sigma'$. Consider the transitions $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{a}\partial_\circ(p_1'\parallel_\gamma s_1')\xrightarrow{\sigma'}\partial_\circ(p_2\parallel_\gamma s_2)\xrightarrow{!?a}\partial_\circ(p_3\parallel_\gamma s_3)$. By the induction hypothesis we have,
$$\exists p_3',s_3'.\,[\partial_\circ(p_1'\parallel_\gamma s_1')\xrightarrow{!?a}\partial_\circ(p_3'\parallel_\gamma s_3')\xrightarrow{\sigma'}\partial_\circ(p_3\parallel_\gamma s_3)].$$
We identify two cases based on the external action $a$ being performed either by the plant ($p$) or by the supervisor ($s$).

1. $a\in Alph(p)$. Then by the semantics of $\parallel_\gamma$ we know that $s_1'=s_1$. Furthermore, from the induction hypothesis, $!?a\in I_s$ and the semantics of $\parallel_\gamma$ we get $p_1'\xrightarrow{?a}p_3'\ \wedge\ s_1'\xrightarrow{!a}s_3'$. By applying well-posedness (Definition 13) at the state $\partial_\circ(p_1\parallel_\gamma s_1)$ we get,
$$\exists p_1''.\,[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_1''\parallel_\gamma s_3')].$$
Applying Lemma 4 we get the desired result,
$$\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_1''\parallel_\gamma s_3')\xrightarrow{\sigma}\partial_\circ(p_3\parallel_\gamma s_3).$$

2. $a\in Alph(s)$. Then by the semantics of $\parallel_\gamma$ we know that $p_1'=p_1$. Furthermore, from the induction hypothesis, $!?a\in I_s$ and the semantics of $\parallel_\gamma$ we get $p_1'\xrightarrow{?a}p_3'\ \wedge\ s_1'\xrightarrow{!a}s_3'$. Using Definition 14 with the transitions $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{a.!?a}\partial_\circ(p_3'\parallel_\gamma s_3')$ and $p_1'\xrightarrow{?a}p_3'$ we get,
$$\exists p_1'',s_1''.\,[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_1''\parallel_\gamma s_1'')].$$
Applying Lemma 4 we get the desired result,
$$\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_1''\parallel_\gamma s_1'')\xrightarrow{\sigma}\partial_\circ(p_3\parallel_\gamma s_3).$$


Lemma 6. Let $\partial_\circ(p_1\parallel_\gamma s_1)$ be a PSCLS satisfying the well-posedness (Definition 13), reordering (Definition 14) and diamond (Definition 15) properties. Suppose $!?a\in I_p$, $\sigma\in(Alph(p)\cup Alph(s))^*$ such that $\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{\sigma}\partial_\circ(p_2\parallel_\gamma s_2)\xrightarrow{!?a}\partial_\circ(p_3\parallel_\gamma s_3)$. Then,
$$\exists p_3',s_3'.\,[\partial_\circ(p_1\parallel_\gamma s_1)\xrightarrow{!?a}\partial_\circ(p_3'\parallel_\gamma s_3')\xrightarrow{\sigma}\partial_\circ(p_3\parallel_\gamma s_3)].$$

Proof: Similar to the proof of Lemma 5.


Next we pose the following main result of this section: “If a PSCLS 
satisfies the condition of Definition 13, 14, 15 and 16 then it is desynchroniz- 
able.” 


Theorem 2. Let $\partial_\circ(p\parallel_\gamma s)$ be an arbitrary PSCLS satisfying the conditions in Definitions 13, 14, 15 and 16. Then for any $m,n>0$ we have,
$$\partial_\circ(p\parallel_\gamma s)\;\underline{\leftrightarrow}_b\;\nabla(p\parallel_{\gamma'}B^{m,n}[\emptyset,\emptyset]\parallel_{\gamma'}s).$$

Sketch of the proof: The proof of this theorem requires a lot of case distinction and can be found in [5]. Here, we only give the witnessing branching bisimulation relation $\mathfrak{R}'$. Recall the relation $\mathfrak{R}$ defined in the proof of Theorem 1 and define a relation $\mathfrak{R}'$ as follows,
$$\mathfrak{R}'=\mathfrak{R}\cup\{(\partial_\circ(p\parallel_\gamma s),\ \nabla(p'\parallel_{\gamma'}B^{m,n}[\mu,\nu]\parallel_{\gamma'}s))\ \mid\ C6\vee C7\},$$
where

(C6) $\exists s_1,\ \sigma\in Alph(s)^*.\ [(\partial_\circ(p\parallel_\gamma s_1),\ \nabla(p'\parallel_{\gamma'}B^{m,n}[\mu,\nu]\parallel_{\gamma'}s_1))\in\mathfrak{R}\ \wedge\ \partial_\circ(p\parallel_\gamma s_1)\xrightarrow{\sigma}\partial_\circ(p\parallel_\gamma s)]$;

(C7) $\exists p_1,p_1',\ \sigma\in Alph(p)^*.\ [(\partial_\circ(p_1\parallel_\gamma s),\ \nabla(p_1'\parallel_{\gamma'}B^{m,n}[\mu,\nu]\parallel_{\gamma'}s))\in\mathfrak{R}\ \wedge\ \partial_\circ(p_1'\parallel_\gamma s)\xrightarrow{\sigma}\partial_\circ(p'\parallel_\gamma s)\ \wedge\ \partial_\circ(p_1\parallel_\gamma s)\xrightarrow{\sigma}\partial_\circ(p\parallel_\gamma s)]$.


7 Discussion 


In this section, we discuss in the context of desynchronizable closed loop 
system (Section 5), whether the reordering property (Definition 10) or the 
diamond property (Definition 11) can be further weakened to attain the 
same result (Theorem 1). 

Informally, the reordering property states that if the receiver (plant or supervisor) is willing to receive an input $?a$ and the sender (supervisor or plant) can perform a sequence of outputs $f_o(\bar\mu).!a$, then the receiver can receive the message $a$ before receiving the sequence of outputs $f_o(\bar\mu)$ in the SCLS³. To avoid such a stringent condition, one may design the following locking mechanism in an ACLS by allowing the execution of an output action at a sender's state only whenever the input bag attached to it is empty.


Example 4. Consider the behaviour of a plant $p$ and a supervisor $s$ specified by the following set of equations.
$$p=\,?a.p_1,\quad p_1=\,!b.p_2,\quad p_2=\,?c.p;\qquad s=\,!a.s_1,\quad s_1=\,?b.s_2,\quad s_2=\,!c.s$$
To observe the effect of a locking mechanism, consider the initial state of the ACLS, $\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\emptyset,\emptyset]\parallel_\gamma s))$. The supervisor performs the output $!a$ and transforms to the state $s_1$. Thus, we infer the following transition by the ACLS.
$$\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\emptyset,\emptyset]\parallel_\gamma s))\xrightarrow{!?a}\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\{?a\},\emptyset]\parallel_\gamma s_1))$$
Note that the supervisor in the state $s_1$ is waiting for the input action $?b$, while the plant in the state $p$ can receive the input action $?a$. Thus, the only possible transition at the state $\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\{?a\},\emptyset]\parallel_\gamma s_1))$ is the plant removing the content from its input bag. A similar phenomenon can be observed in the other states of the ACLS. Moreover, it can be verified that the SCLS $\partial_H(p\parallel_\gamma s)$ is desynchronizable.


From the above example it is clear that a locking mechanism can 
be implicitly built into a SCLS in order to avoid the reordering property. 
However, upon inspection it can be concluded that the reordering property 
is vacuously satisfied in the above example (there is nothing to reorder). 
This also suggests that the reordering property can be a suitable candidate 
for the necessary conditions for desynchronizability. 

In comparison to the reordering property, the diamond property can be further weakened. We give an example in which a SCLS satisfies the well-posedness and reordering properties but not the diamond property (at the initial state two different communications are enabled that do not commute), and is still desynchronizable.


Example 5. Consider the behaviour of a plant and a supervisor specified by the following set of equations:
$$p=\,?a.p_1+?c.p_2,\quad p_1=\,!b.p,\quad p_2=\,!d.p;\qquad s=\,!a.s_1+!c.s_2,\quad s_1=\,?b.s,\quad s_2=\,?d.s$$

³Recall the definition of the function $f_o$ from page 22.
Figure 10: Example 5, with $p[\mu,\nu]s=\tau_I(\partial_{H\cup A}(p\parallel_\gamma B^{m,n}[\mu,\nu]\parallel_\gamma s))$; the asynchronous states shown are $p[\{?a\},\emptyset]s_1$, $p[\{?c\},\emptyset]s_2$, $p_1[\emptyset,\emptyset]s_1$, $p_2[\emptyset,\emptyset]s_2$, $p[\emptyset,\{?b\}]s_1$ and $p[\emptyset,\{?d\}]s_2$.

The transition systems of the synchronous and the asynchronous closed loop system are depicted in Figure 10. Clearly, the two transition systems are branching bisimilar.


Thus, we anticipate that the diamond property (Definition 11) can be further weakened. In particular, if the actions $!?a,!?b\in I_s$ are enabled at a state $q$, then it may not be necessary for the traces $!?a.!?b$ and $!?b.!?a$ to commute. Furthermore, we conjecture that if a SCLS satisfies the well-posedness property (Definition 9), the reordering property (Definition 10), and the weaker form of the diamond property, then it is desynchronizable.
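As an added illustration of the point made about Example 5 (not code from the paper), the following Python function checks the diamond property of Definition 15 on an explicit labelled transition system. The closed-loop transition systems below are transcribed by hand: the first is the SCLS of Example 5, the second is a constructed system in which the two communications enabled at the initial state are independent; the function and state names are this example's own.

```python
"""Added example (not code from the paper): a checker for the diamond property
(Definition 15) on an explicit labelled transition system.

An LTS is a dict  state -> list of (action, next_state).
"""
from collections import deque


def reachable(lts, initial):
    """States reachable from `initial`, by breadth-first search."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        for _, nxt in lts[state]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def diamond_violations(lts, initial):
    """Return the list of (q, a1, a2) with a1 < a2 such that q is reachable,
    q -a1-> q2 and q -a2-> q3, but no q4 closes the square (q2 -a2-> q4 and
    q3 -a1-> q4).  An empty list means the diamond property holds."""
    bad = []
    for q in sorted(reachable(lts, initial)):
        for a1, q2 in lts[q]:
            for a2, q3 in lts[q]:
                if a1 >= a2:          # each unordered pair of distinct actions once
                    continue
                after_q2 = {q4 for b, q4 in lts[q2] if b == a2}
                after_q3 = {q4 for b, q4 in lts[q3] if b == a1}
                if not (after_q2 & after_q3):
                    bad.append((q, a1, a2))
    return bad


# SCLS of Example 5 (transcribed): p = ?a.p1 + ?c.p2, p1 = !b.p, p2 = !d.p and
# s = !a.s1 + !c.s2, s1 = ?b.s, s2 = ?d.s.  The closed loop picks !?a.!?b or !?c.!?d.
EXAMPLE5_SCLS = {
    'ps':   [('!?a', 'p1s1'), ('!?c', 'p2s2')],
    'p1s1': [('!?b', 'ps')],
    'p2s2': [('!?d', 'ps')],
}

# Constructed contrast: two communications that can happen in either order.
COMMUTING_SCLS = {
    'q0': [('!?a', 'q1'), ('!?b', 'q2')],
    'q1': [('!?b', 'q3')],
    'q2': [('!?a', 'q3')],
    'q3': [],
}

if __name__ == '__main__':
    print('Example 5 violations:', diamond_violations(EXAMPLE5_SCLS, 'ps'))
    print('Commuting system violations:', diamond_violations(COMMUTING_SCLS, 'q0'))
```

For Example 5 the checker reports the single violation at the initial state, where `!?a` and `!?c` are both enabled but the choice is never resolved into a common state; since the text shows this system is nevertheless desynchronizable, the report demonstrates that Definition 11 is a sufficient condition only, which is the motivation for the weaker form conjectured above.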


8 Conclusions and Future Work 


The goal of this paper was to check for desynchronizability of a SCLS without 
building the corresponding asynchronous system. We presented sufficient 
conditions for desynchronizability in a process algebraic setting and showed 
that an asynchronous implementation using bags (of arbitrary size) is a 
refinement of the SCLS satisfying these conditions. Moreover, we generalized 
this result for PSCLSs whose alphabets may contain the external actions 
from the plant and its supervisor in addition to the communicated actions. 
The prominent features of our work can be summarized as follows: 


• We solve a refinement problem instead of a supervisory control problem, and do not compute a new supervisor in the presence of buffers, as done in [4, 21]. Our approach is intended to be computationally cheaper than the one developed in [4, 21]; however, this conjecture needs to be verified by analyzing the complexities associated with the conditions presented here. In particular, we conjecture that supervisory control theory always results in SCLSs which are well-posed (Definition 9), but the other conditions (Definition 10 and Definition 11) are not likely to be attained so easily.


• We present our conditions for desynchronizability over the components of a SCLS conjointly, in contrast with [9], where the check for the foam rubber wrapper principle was applied to the two components separately. Note that the sender domination property from [9] is equivalent to the well-posedness condition (Definition 9). However, the two approaches are incomparable because in [9] the construction method M3 was studied, while in this paper the construction method M1 is studied.


• We use branching bisimulation equivalence instead of the failure equivalence that was adopted in [9]. As a consequence our techniques are applicable to all the weak equivalences in the 'van Glabbeek spectrum' [18] (including failure equivalence). Branching bisimulation is the preferred equivalence in the TCP process algebra in the presence of the $\tau$ action [3]. Furthermore, the conditions (well-posedness and diamond property) given here are similar to the ones mentioned in [9], where sufficient conditions for desynchronizability were given modulo failure equivalence. Thus, we conjecture that achieving desynchronizability for weaker equivalences will not lead to weaker sufficient conditions.


A topic that was not treated in this paper, is whether the conditions we 
posed are in fact reasonable for industrial applications. This may become 
clear in the near future, when we study the case studies involved with 
supervisory control theory in the context of the MULTIFORM project [1] 
with the language CIF [2]. The authors of CIF are currently developing 
techniques that will incorporate supervisory control theory and model based 
engineering into a single framework, thus making it suitable for the design 
of industrial applications. In particular, the elevator case study and the toy 
example, which were desynchronizable in [6] using the construction method 
M1, satisfy our conditions. 

The desynchronizability of a SCLS in either the decentralized or the hierarchical architecture of [20] is not answered completely, although initial results in this direction are presented here by the desynchronization of a PSCLS (Section 6). Consider the SCLS $\partial_H(p\parallel_\gamma s_1\parallel_\gamma s_2)$ in a decentralized architecture, which can be further decomposed into two PSCLSs as shown in Figure 11. At this moment, we can only ascertain that these individual PSCLSs are desynchronizable by inspecting the sufficient conditions (Definitions 13, 14, 15, and 16) on them; however, to conclude that the overall closed loop system (i.e. $\partial_H(p\parallel_\gamma s_1\parallel_\gamma s_2)$) is desynchronizable, more research is required.

Figure 11: A SCLS in a decentralised architecture [20]: the plant $p$ interacts with two supervisors $s_1$ and $s_2$.


Lastly, the research performed in this paper can of course be repeated 
for different architectures. One might study whether wires or queues can be 
used instead of bags, or study different abstraction schemes, or try to study 
the conditions for desynchronizability by focusing on other notions of weak 
equivalences. 